How can a small business fight phishing?

This week, we had a conversation with NOC Technology’s CEO, Jon Lober, about how NOC helps its small business clients navigate the phish-laden seas of the modern business world. Client security is NOC’s top priority, and though phishing attacks may not be the most high-tech cyberthreat, their prevalence makes them a serious issue for any business.

In our conversation, Jon explained how NOC helps its clients remain prepared against phishing attacks.

Since NOC started working to protect clients against phishing, how have the tactics and strategies of cybercriminals changed?

"They really have not changed all that much. The common denominator in phishing attacks is still the human target. Email phishing attacks began with the advent of email, and it is still easiest for phishers to attack the weakest link in a network—the human.

The main observable difference is that phishing attacks are now often far more professional and realistic. Over the past three years, the spelling errors and strange-looking logos of before have been largely eliminated. We are hearing rumors that organized phishing groups are hiring more native English-speaking users. Since they are definitely using AI to improve malicious code, it wouldn’t surprise me to hear that they’re also using it to clean up their email campaigns as well."

Why does NOC invest itself so heavily in anti-phishing efforts?

“It’s our job to protect the IT infrastructure of all of our clients. Each individual sitting at a computer is a potential breach point. As a result, the only way to protect that infrastructure is to make sure that each individual in a business is educated about how to protect their IT assets.  Like I said before, the weakest is always the end user. The data that our clients are protecting is important, and we need to make sure that an employee does not become the reason for a breach.”

What are the core components of NOC’s anti-phishing program?

“We use a multi-layer approach. Our first step is to make sure that every user in a client’s domain has the correct email configuration. Most small businesses are able to get a basic website up and running but lack the technical skills to configure things like DNS records. That leaves them open to attacks from nearly any source. By configuring these factors correctly, we can make sure that only trusted emails sources can email our clients and vice versa.

The next thing we put in place is an email firewall, which is much than just a spam filter. These AI security solutions scan every email for bad links, malicious codes, and fouled DNS records. The firewall that we use will automatically quarantine, deny, or permit an email based on the evaluated level of risk while keeping us at NOC apprised of what types of attacks are coming against our clients at any given point.

Firewall users get a regular email with an update of what is being blocked or quarantined outside of their inbox so that they can retrieve or allow emails through if they judge them to be safe. These firewalls are the only real way to make sure that every email is being checked. Large email providers like Google and Microsoft use some version of this, but NOC uses an additional solution that we believe to be even more effective.

Beyond its automated quarantining capability, the firewall also routes all clicked links through a secure sandbox environment where it can run the link code to make sure that there is nothing malicious waiting on the other end. This happens very quickly, and if everything looks safe, the user is directed to link as usual.

Next, we set up ongoing user awareness training. We send micro-trainings to everyone that has an email address in the business. These trainings arrive every other week in the employee’s inbox and are composed of a three-minute video along with five (or fewer) questions. The goal is to keep phishing at the front an employee’s mind.

To complement these trainings, we also perform simulated phishing attacks every 2-4 weeks, depending on client preferences. We install a button (marked Catch Phish), that employees can hit whenever they encounter a suspicious email. If it is a phishing simulation, fireworks go off and inform the employee that they caught a simulated phishing attack. However, if the email is not a part of the simulation and is likely a genuine phishing email, the software will warn the user and inform NOC. If the email checks out, the software will let the user know that they can safely click links in the email.

This is non-negotiable for us. These simulations provide us with great reporting on employee response to phishing attacks. With these reports, we get insight far beyond employee click rate. We can even see how far they follow the fake phishing link and whether or not they enter information that could compromise the business. These simulations help us to identify higher risk people in a business and allow us to have targeted conversations with those individuals.

Finally, we add warning banners on external emails coming into the email system in order to remind users to exercise special caution.”

What type of improvements in click rates on phishing tests do you see on average?

“Clients are ranked with a risk score between 0 and 800 (with 0 being bad). Most of our clients race to lower their scores. Those clients that invest themselves, see real improvements fairly quickly. They become more cognizant of phishing emails, both simulated and real. Through the “Catch Phish” button that I mentioned earlier, they can raise their score by finding real and suspicious emails or lower it by clicking on suspicious ones.

Most of our clients start around 350 and quickly improve. After 24 months they might get a little laxer, but they typically level out around 700, which is great. That score shows us that they are approaching emails with an appropriate amount of suspicion."

How do employees typically respond to the ongoing awareness training?

“Most employees complain that they are too busy to take it, but when leadership emphasizes the importance of the training, we often see a shift in attitude of employees. Its very important for management to enforce the importance of the training so that employees can start to embrace the training and shift the company’s cultural response to cybersecurity.”

As you look towards the future of phishing, what developments most concern you for your clients?

“It all goes back to employee buy-in, regardless of how the technology behind phishing develops. When employees do not take phishing seriously or have an attitude of ‘It won’t happen to me,’ or ‘I’m too busy, they just click the links without thinking about it. The only way to stay on ahead of the next level of phishing attacks is to use proper protections and keep yourself constantly sharp and informed.”